What I don't get (read: I've only had one cup of coffee so far this morning) is why if you can drop or mangle it, you can't queue it.
I looked elsewhere for confirming/disagreeing viewpoints. Not being a proof by induction devotee or abuser, I stopped at three; there was no doubt expressed in other references, no ifs, ands or buts in the other literature. Just straightforward.
Is Janis correct in that it can be done (by qualified folks); if not, why can't it be done (by qualified folks)?
If it can't be done, are _we_ saying it is a Linux limitation or a RouterOS limitation? I doubt Linux is the limitation because a major player is using Linux to supplement the OS for their routers.
rgds/ldv
Neeraj_k's original post which opened this recent thread was:
Normis is held in great respect, along with everyone else quoted, including the original poster:
Hi,
newer p2p applications hide themselves and are not seen by p2p filter. Any solution for that?
thnx
=====Genesis=====
please list application names and versions that are not blocked by this rule:
/ip firewall filter add chain=forward p2p=all-p2p action=drop
Cmit:
What IS true (and this is clearly said so by MikroTik) is that you cannot BANDWIDTH SHAPE most (all?) encrypted P2P connections...
Janis:
Serjejs: indeed you can kill but you cannot shape it
and normis asked for programs you cannot kill.
Then Janis said: I can offer two ways to drop p2p traffic,
- first method, to mark connections with appropriate p2p mark on the firewall mangle, then drop them.
- second method, use firewall to allow known traffic and drop anything else.
Serjejs: every week someone is discussing how to drop p2p traffic, or limit it somehow. every week new topic.
if you took "oh mighty" search and searched dropping p2p, limiting p2p you would finally bump on macgaiver's post how to drop encrypted p2p
good luck
A while back in Sep 2006, Sten: Ares protocol can only be dropped, speed limiting is impossible for it, matcher p2p=warez is used for that.
As well encrypted torrent can be only dropped.
I asked you; "...., but why can't you shape it when you can identify it and block it?". Here I clearly indicated on the assumption that you can identify it since you say you can block it.
Marin said:
Janis said: I noticed that also the marking rule is no more effective. The only clue what's come to me is mark selected traffic like http, ftp, pop3, smtp, some communicators and give them higher priority. All the rest of traffic mark as other garbage and give it the lowest priority.
Marcin
yes, that is solution, but creating that you have to be very careful. and for majority it is somehow complicated due to limited knowledge of ROS
good luck.
Looking at a customer facing FE0/1 on a distribution router at a wireless pop:
FastEthernet0/1
                         Input                    Output
                         -----                    ------
Protocol                 Packet Count             Packet Count
                         Byte Count               Byte Count
                         30sec Bit Rate (bps)     30sec Bit Rate (bps)
                         30sec Max Bit Rate (bps) 30sec Max Bit Rate (bps)
------------------------ ------------------------ ------------------------
http                     33386114                 41506060
                         12947627315              48962691283
                         241000                   929000
                         2783000                  13076000
bittorrent               31216340                 22069622
                         32378369610              8094153680
                         10000                    1000
                         4137000                  5895000
h323                     8141040                  8869654
                         6619098541               5081481705
                         0                        0
                         1624000                  3392000
gnutella                 10144605                 10598448
                         3190792138               7069611738
                         6000                     6000
                         1007000                  2870000
smtp                     1476012                  2153958
                         636255197                702547996
                         1000                     12000
                         1173000                  1598000
pop3                     1144245                  1655044
                         110616900                1182300378
                         1000                     6000
                         602000                   1213000
ftp                      185410                   138717
                         224842849                50409831
                         0                        0
                         1065000                  472000
skype                    2924281                  3306808
                         767707166                972825768
                         3000                     4000
                         678000                   739000
secure-http              1362219                  1387027
                         352306436                902920285
                         12000                    66000
                         78000                    1317000
ipsec                    2222784                  2725508
                         411995180                508356380
                         9000                     14000
                         582000                   710000
rtsp                     571107                   859992
                         44031000                 1139835728
                         0                        0
                         32000                    1176000
sqlnet                   2417                     6799
                         1839805                  7219644
                         0                        0
                         69000                    779000
rtcp                     1127479                  626793
                         137337283                104729620
                         0                        0
                         136000                   684000
novadigm                 27432                    46061
                         6100888                  42078593
                         0                        0
                         106000                   562000
--More--